Merge pull request #119 from github/brrygrdn/switch-to-ghcr

Switch from GHPR to GHCR for images

.github/workflows/integration-test.yml

@@ -31,10 +31,6 @@ jobs:
 
       - name: Pre-fetch the pinned images
         run: npm run fetch-images
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Run integration tests
         run: npm run test-integration
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

__tests__/docker-tags.test.ts

@@ -8,27 +8,27 @@ import {getImageName} from '../src/update-containers'
 describe('Docker tags', () => {
   test('UPDATER_IMAGE_NAME uses a pinned version and matches the config Dockerfile', () => {
     expect(UPDATER_IMAGE_NAME).toMatch(
-      /^docker\.pkg\.github\.com\/dependabot\/dependabot-updater@sha256:[a-zA-Z0-9]{64}$/
+      /^ghcr\.io\/dependabot\/dependabot-updater\/dependabot-updater@sha256:[a-zA-Z0-9]{64}$/
     )
 
     expect(UPDATER_IMAGE_NAME).toEqual(getImageName('Dockerfile.updater'))
   })
 
   test('PROXY_IMAGE_NAME uses a pinned version and matches the config Dockerfile', () => {
     expect(PROXY_IMAGE_NAME).toMatch(
-      /^docker\.pkg\.github\.com\/github\/dependabot-update-job-proxy@sha256:[a-zA-Z0-9]{64}$/
+      /^ghcr\.io\/github\/dependabot-update-job-proxy\/dependabot-update-job-proxy@sha256:[a-zA-Z0-9]{64}$/
     )
 
     expect(PROXY_IMAGE_NAME).toEqual(getImageName('Dockerfile.proxy'))
   })
 
   test('repositoryName returns the image name minus the tagged version or reference for our real values', () => {
     expect(repositoryName(UPDATER_IMAGE_NAME)).toMatch(
-      'docker.pkg.github.com/dependabot/dependabot-updater'
+      'ghcr.io/dependabot/dependabot-updater/dependabot-updater'
     )
 
     expect(repositoryName(PROXY_IMAGE_NAME)).toMatch(
-      'docker.pkg.github.com/github/dependabot-update-job-proxy'
+      'ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy'
     )
   })
 

__tests__/image-service.test.ts

@@ -1,43 +1,7 @@
 import {ImageService} from '../src/image-service'
 
 describe('ImageService', () => {
-  const originalEnv = process.env
-
-  describe('when GITHUB_TOKEN is not set', () => {
-    beforeEach(async () => {
-      jest.resetModules()
-      process.env = {
-        ...originalEnv,
-        GITHUB_TOKEN: undefined
-      }
-    })
-
-    afterEach(async () => {
-      process.env = originalEnv
-    })
-
-    test('it raises an error', async () => {
-      await expect(
-        ImageService.pull('ghcr.io/dependabot/dependabot-core:latest')
-      ).rejects.toThrowError(
-        new Error('No GITHUB_TOKEN set, unable to pull images.')
-      )
-    })
-  })
-
   describe('when asked to fetch non-GitHub hosted images', () => {
-    beforeEach(async () => {
-      jest.resetModules()
-      process.env = {
-        ...originalEnv,
-        GITHUB_TOKEN: 'mock_token'
-      }
-    })
-
-    afterEach(async () => {
-      process.env = originalEnv
-    })
-
     test('it raises an error', async () => {
       await expect(ImageService.pull('hello-world')).rejects.toThrowError(
         new Error(

docker/Dockerfile.proxy

@@ -1 +1 @@
-FROM docker.pkg.github.com/github/dependabot-update-job-proxy@sha256:21ca670ef8ef375e4168be3e1cedfe1a165724314299e147303cbeae57d6ba3c
+FROM ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy@sha256:21ca670ef8ef375e4168be3e1cedfe1a165724314299e147303cbeae57d6ba3c

docker/Dockerfile.updater

@@ -1 +1 @@
-FROM docker.pkg.github.com/dependabot/dependabot-updater@sha256:2b7f7c1905471943879183e67e0ec6b083184824f5ee608852e318a0181dc133
+FROM ghcr.io/dependabot/dependabot-updater/dependabot-updater@sha256:2b7f7c1905471943879183e67e0ec6b083184824f5ee608852e318a0181dc133

docker/containers.json

@@ -1,4 +1,4 @@
 {
-  "proxy": "docker.pkg.github.com/github/dependabot-update-job-proxy@sha256:21ca670ef8ef375e4168be3e1cedfe1a165724314299e147303cbeae57d6ba3c",
-  "updater": "docker.pkg.github.com/dependabot/dependabot-updater@sha256:2b7f7c1905471943879183e67e0ec6b083184824f5ee608852e318a0181dc133"
+  "proxy": "ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy@sha256:21ca670ef8ef375e4168be3e1cedfe1a165724314299e147303cbeae57d6ba3c",
+  "updater": "ghcr.io/dependabot/dependabot-updater/dependabot-updater@sha256:2b7f7c1905471943879183e67e0ec6b083184824f5ee608852e318a0181dc133"
 }

src/image-service.ts

@@ -14,12 +14,9 @@ const endOfStream = async (docker: Docker, stream: Readable): Promise<void> => {
 export const ImageService = {
   async pull(imageName: string, force = false): Promise<void> {
     /*
-      This method fetches images using a GITHUB_TOKEN we should check two things:
-      - The process has a GITHUB_TOKEN set so we don't attempt a failed call to docker
-      - The image being requested is actually hosted on GitHub.
+      This method fetches images hosts on GitHub infrastructure.
 
-      We expose the `fetch_image` utility method to allow us to pull in arbitrary images
-      without auth in unit tests.
+      We expose the `fetch_image` utility method to allow us to pull in arbitrary images for unit tests.
     */
     if (
       !(
@@ -32,10 +29,6 @@ export const ImageService = {
       )
     }
 
-    if (!process.env.GITHUB_TOKEN) {
-      throw new Error('No GITHUB_TOKEN set, unable to pull images.')
-    }
-
     const docker = new Docker()
     try {
       const image = await docker.getImage(imageName).inspect()
@@ -49,10 +42,7 @@ export const ImageService = {
       } // else fallthrough to pull
     }
 
-    const auth = {
-      username: 'x',
-      password: process.env.GITHUB_TOKEN
-    }
+    const auth = {} // Images are public so not authentication info is required
     await this.fetchImage(imageName, auth, docker)
   },